#1921  2020-09-29 09:35
File: S02IVS40GP4N.doc
MD5: afd9018d26007e0d9686a335801f3370
Signatures: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Windows, DNS
URLs (2):
  http://edu.jmsvclass.com/wp-includes/sZmjSq/
  http://38.18.235.242/IcKaqWXLrGj/szawWpkr5bo9VpCttEI/qa3aWeZpdQZVO/QnBtCtY/oiWENMkDor61zf1lK/Mfvy1v5UPQP/
IPs (2): 160.153.210.213, 38.18.235.242
IDS alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 5.2 | Detections: 22 | User: guest

#1922  2020-09-29 09:43
File: hHAiHl284xjimxTyEb7.exe
MD5: f4e24b367f402e450e1349a9e12e5f28
Signatures: Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
URLs (1):
  http://167.71.227.113:8080/N7oz3wlXYGqub32robD/2ac0VOBpE/EaIL6gH5v/ogohG4oKV/
IPs (2): 167.71.227.113, 49.243.9.118
Score: 6.4 | User: guest

#1923  2020-09-29 10:12
File: Mes_20200929_0697.doc
MD5: b5a904026f1a39ef2308bf94afea96ac
Signatures: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Windows, DNS
URLs (2):
  http://128.92.203.42/3PCga7kiz/0Z2A4bpUCXpHnGVd/r5kxqLjJnC4hQ05W/ruZParGqHycRyKZtfx3/
  http://babyshop.webdungsan.com/wp-admin/n/
IPs (2): 103.124.92.99, 128.92.203.42
IDS alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 4.4 | User: guest

#1924  2020-09-29 10:13
File: m2uoji6w.pdf.exe
MD5: 93bb6e22daed74acd13a9bdc6bcf2f4f
Signatures: VirusTotal, Malware, PDB, unpack itself, crashed
Score: 2.2 | M | Detections: 18 | User: guest

#1925  2020-09-29 10:16
File: cVyk4fksxqUz0Kmh.exe
MD5: a039f79dfab191ad8c0aadc194baca53
Signatures: Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
URLs (1):
  http://128.92.203.42/b3cT/XTE3ge/KGu5mB/
IPs (1): [not shown in listing]
Score: 5.4 | User: guest

#1926  2020-09-29 10:18
File: whe.exe
MD5: 5c66720dc80a18f0fc5b525d48efd118
Signatures: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Checks debugger, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, Software, crashed
Score: 7.4 | M | Detections: 49 | User: guest

#1927  2020-09-29 10:18
File: fr.exe
MD5: cbb05276c2da12af44039e256c755219
Signatures: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Checks debugger, unpack itself, malicious URLs, Ransomware, Windows, Browser, Tor, Email, ComputerName, Software, crashed
Score: 7.4 | M | Detections: 49 | User: guest

#1928  2020-09-29 10:23
File: 견적서_L-Ar_191014-pdf.exe
MD5: 49cdf06ad4023203ebcf2a279f078aae
Signatures: VirusTotal, Malware, Buffer PE, suspicious privilege, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, Cryptographic key
Score: 6.8 | Detections: 31 | User: admin

#1929  2020-09-29 10:28
File: moon.exe
MD5: 89cafef93dbf558c2894364ba4ead754
Signatures: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, Ransomware, Windows, Tor, ComputerName, crashed
Score: 11.4 | Detections: 44 | User: guest

#1930  2020-09-29 10:32
File: Rep_2020_09_29.doc
MD5: ed6428b8d3e8082dbd602561ad399213
Signatures: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Windows, DNS
URLs (2):
  http://128.92.203.42/u6Fy3sEK0ifP6z/
  http://babyshop.webdungsan.com/wp-admin/n/
IPs (2): 103.124.92.99, 128.92.203.42
IDS alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 5.2 | Detections: 20 | User: guest

#1931  2020-09-29 10:34
File: raw.exe
MD5: 2d46889b6d794ac1fcf58bf340c4666a
Signatures: VirusTotal, Malware, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, WriteConsoleW, Tofsee, ComputerName, DNS
URLs (1):
  https://paste.nrecom.net/view/raw/a4eca577
IPs (1): [not shown in listing]
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 4.6 | Detections: 29 | User: guest

#1932  2020-09-29 10:35
File: pIJpOlcz.exe
MD5: fa62345d40283d2935893a10f9456497
Signatures: VirusTotal, Malware, Malicious Traffic, RWX flags setting, unpack itself, malicious URLs, sandbox evasion, Windows, Advertising, ComputerName, DNS, Cryptographic key
URLs (1):
  http://128.92.203.42/nP6noF7Ky6vY4U9Q2MA/cjRryf7FYz1/sMWYqsChHTUqysW/SIQT3XiRK15Hfj9ka/
IPs (1): [not shown in listing]
Score: 6.0 | Detections: 15 | User: guest

#1933  2020-09-29 10:38
File: Tax Challan.exe
MD5: f66f4ff235e4119b8231ae6bd22a7aac
Signatures: VirusTotal, Malware, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, DNS, keylogger
IPs (1): [not shown in listing]
Score: 12.6 | Detections: 50 | User: guest

#1934  2020-09-29 10:39
File: 견적서_L-Ar_191014-pdf.exe
MD5: 49cdf06ad4023203ebcf2a279f078aae
Signatures: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Buffer PE, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, Browser, Email, ComputerName, Cryptographic key, Software, crashed
Score: 13.6 | Detections: 31 | User: admin

#1935  2020-09-29 11:21
File: zxcv.EXE
MD5: 92821d6dd83105f5f2d08c43f28fa309
Signatures: Browser Info Stealer, Emotet, Malware download, FTP Client Info Stealer, Vidar, Azorult, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, powershell, Buffer PE, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates shortcut, Creates executable files, RWX flags setting, unpack itself, Windows utilities, Collect installed applications, powershell.exe wrote, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, sandbox evasion, WriteConsoleW, anti-virtualization, VM Disk Size Check, human activity check, installed browsers check, Tofsee, Ransomware, Interception, Zeus, OskiStealer, Stealer, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, Downloader
URLs (24 unique; listed in the order reported, repeats included):
  http://ferreira.ac.ug/index.php
  http://nadia.ac.ug/
  http://nadia.ac.ug/freebl3.dll
  http://cnmotoparts.online/gate/libs.zip
  http://cnmotoparts.online/gate/libs.zip
  http://nadia.ac.ug/mozglue.dll
  http://nadia.ac.ug/msvcp140.dll
  http://cnmotoparts.online/gate/libs.zip
  http://nadia.ac.ug/nss3.dll
  http://ferreira.ac.ug/ac.exe
  http://ferreiranadii.ac.ug/ds1.exe
  http://ferreira.ac.ug/rc.exe
  http://ferreira.ac.ug/ds1.exe
  http://cnmotoparts.online/gate/libs.zip
  http://ferreiranadii.ac.ug/ac.exe
  http://ferreiranadii.ac.ug/rc.exe
  http://ferreira.ac.ug/index.php
  http://nadia.ac.ug/sqlite3.dll
  http://cnmotoparts.online/file_handler4/file.php?hash=6cdfdf419af0bd0a62dd40155eca58436ab12ba0&js=6695ee24e4a8273aee2ea33a2bde08662448549b&callback=http://cnmotoparts.online/gate
  http://ferreira.ac.ug/ds2.exe
  http://nadia.ac.ug/vcruntime140.dll
  http://cnmotoparts.online/gate/sqlite3.dll
  http://nadia.ac.ug/softokn3.dll
  http://nadia.ac.ug/main.php
  http://cnmotoparts.online/gate/log.php
  http://ferreiranadii.ac.ug/ds2.exe
  http://cnmotoparts.online/gate/libs.zip
  https://telete.in/brikitiki
  https://cdn.discordapp.com/attachments/752128569169281083/760175342396112916/Acdk123
IPs (6): 161.117.254.2, 162.159.134.233, 162.159.138.232, 194.5.98.95, 195.201.225.248, 217.8.117.77
IDS alerts (10):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE AZORult v3.3 Server Response M2
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
Score: 28.6 | M | Detections: 26 | User: admin
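Several of the analyses above contact the same infrastructure (128.92.203.42 is the payload host for four separate submissions, and babyshop.webdungsan.com with 103.124.92.99 appears in two). The script below is an added example, not part of the sandbox listing or its software: it pivots across a subset of the records on this page, copied from their URL and IP columns, to find hosts shared by more than one analysis and to collapse repeated URLs such as the libs.zip fetches in #1935. The record IDs and IOCs are taken from the listing; the function names and the choice to treat URL hosts and contacted IPs as one key space are this example's own.

```python
"""Pivot sandbox records on shared network infrastructure (added example)."""
from __future__ import annotations
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the listing above: analysis ID -> URLs and IPs exactly as reported.
RECORDS = {
    1921: {
        "urls": ["http://edu.jmsvclass.com/wp-includes/sZmjSq/",
                 "http://38.18.235.242/IcKaqWXLrGj/szawWpkr5bo9VpCttEI/qa3aWeZpdQZVO/QnBtCtY/oiWENMkDor61zf1lK/Mfvy1v5UPQP/"],
        "ips": ["160.153.210.213", "38.18.235.242"],
    },
    1923: {
        "urls": ["http://128.92.203.42/3PCga7kiz/0Z2A4bpUCXpHnGVd/r5kxqLjJnC4hQ05W/ruZParGqHycRyKZtfx3/",
                 "http://babyshop.webdungsan.com/wp-admin/n/"],
        "ips": ["103.124.92.99", "128.92.203.42"],
    },
    1925: {"urls": ["http://128.92.203.42/b3cT/XTE3ge/KGu5mB/"], "ips": []},
    1930: {
        "urls": ["http://128.92.203.42/u6Fy3sEK0ifP6z/",
                 "http://babyshop.webdungsan.com/wp-admin/n/"],
        "ips": ["103.124.92.99", "128.92.203.42"],
    },
    1932: {"urls": ["http://128.92.203.42/nP6noF7Ky6vY4U9Q2MA/cjRryf7FYz1/sMWYqsChHTUqysW/SIQT3XiRK15Hfj9ka/"],
           "ips": []},
    1935: {
        "urls": ["http://nadia.ac.ug/freebl3.dll",
                 "http://cnmotoparts.online/gate/libs.zip",
                 "http://cnmotoparts.online/gate/libs.zip",
                 "http://ferreira.ac.ug/ac.exe",
                 "https://telete.in/brikitiki",
                 "https://cdn.discordapp.com/attachments/752128569169281083/760175342396112916/Acdk123"],
        "ips": ["162.159.134.233", "194.5.98.95"],
    },
}


def host_of(url: str) -> str:
    """Hostname or dotted quad of a URL, lower-cased, with any :port dropped."""
    return (urlsplit(url).hostname or "").lower()


def unique_urls(record: dict) -> list:
    """Reported URLs with repeats collapsed, first-seen order preserved."""
    return list(dict.fromkeys(record["urls"]))


def hosts_in(record: dict) -> set:
    """Every host one analysis touched: URL hosts plus the raw contacted IPs."""
    return {host_of(u) for u in record["urls"]} | set(record["ips"])


def pivot(records: dict) -> dict:
    """Map each host to the sorted list of analysis IDs that contacted it."""
    seen = defaultdict(set)
    for rid, rec in records.items():
        for host in hosts_in(rec):
            seen[host].add(rid)
    return {host: sorted(ids) for host, ids in seen.items()}


def shared_hosts(records: dict, min_records: int = 2) -> dict:
    """Hosts that appear in at least `min_records` distinct analyses."""
    return {h: ids for h, ids in pivot(records).items() if len(ids) >= min_records}


if __name__ == "__main__":
    for host, ids in sorted(shared_hosts(RECORDS).items(), key=lambda kv: -len(kv[1])):
        print(f"{host:28s} seen in {len(ids)} analyses: {ids}")
    print(f"#1935 reported {len(RECORDS[1935]['urls'])} URLs, "
          f"{len(unique_urls(RECORDS[1935]))} unique")
```

Hosts that recur across unrelated-looking submissions in a short window are the ones worth blocking or hunting first; a host seen once may be a one-off download, but 128.92.203.42 serving four different payload paths within an hour is infrastructure. Pivoting on the hostname rather than the full URL is deliberate, since the random path segments in these URLs change per request and would never match.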